Linux full disc encryption

etcetera

Active Member, joined Mar 10, 2024
I am running Xubuntu, but this is really applicable to any distro as they likely use the same underlying mechanism.
I encrypted all my hardware for security purposes, but now I am wondering about the under-the-hood implementation: what algorithms do they use, how big is the key size, has it been audited, et cetera.
I run PCIe/NVMe SSDs like the Samsung 870 and it's reasonably fast. The boot time + decryption went from 30 seconds to over a minute. But still nowhere near as long as when I had an HDD. Just curious if anyone else does this and how well or badly it performs.

I am talking about this:

 


I generally see encryption of a drive as pure overkill unless you are involved in top secret stuff. Otherwise it is just something else for people to get themselves in trouble with. Lost key or password, problem in computer and drive. So much to go wrong, and encryption just makes it harder or impossible to recover. Not sure what your security purposes are, but I hope they are worth the risk.
With Linux we are already pretty secure; you can't just grab your Linux HDD, put it into a Windows computer and pull data. The other way works though. I just do not see any good reason for 99% of people to encrypt a personal or even work drive.
 
To make a long story short: if your LUKS header gets damaged, all data is gone. You would be surprised at the people who do not back up their LUKS header. To prevent this from happening, we need to create a header backup. This can be done by issuing the following command:

sudo cryptsetup luksHeaderBackup <device> --header-backup-file <file>

Where <device> is a LUKS volume disk and <file> is the name of the header backup file to be created. In this case the LUKS volume is on an external HD:

sudo cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file /root/sdb1-header-backup

The file is now in the /root folder, which is hidden and needs root access to get to. From there you can move it anywhere else, like to a thumb drive, if you choose.

Note: It is often recommended to back up the headers securely, i.e. on an encrypted drive. However, "I put mine on /boot, as this is an unencrypted partition, and the file is small (2MiB).
There's no great security loss in this; anyone with physical access (or root access) to your device can simply dump the header anyway, so it doesn't matter. If you're really worried though, save it somewhere safe, or print it out, and store it somewhere else."


In case of disaster where your LUKS header gets broken, you can restore it by issuing the following command:

sudo cryptsetup luksHeaderRestore <device> --header-backup-file <file>

WARNING: LUKS header restoration procedure will replace all key-slots, therefore only the passphrases from the backup will work afterwards!

sudo cryptsetup luksHeaderRestore /dev/sdb1 --header-backup-file /root/sdb1-header-backup
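As an added example (not code from this thread or from cryptsetup), a small Python parser that reads a luksHeaderBackup file and reports the things the OP asked about (cipher, mode, key size, KDF), which also serves as a sanity check that the file you just backed up really is a LUKS header before you rely on it. The LUKS2 sample it builds is constructed for the demo, not a real dump; offsets follow the published LUKS1/LUKS2 on-disk layouts.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"

def _cstr(b: bytes) -> str:
    """Decode a NUL-padded ASCII field from the binary header."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks_header(blob: bytes) -> dict:
    """Report cipher, mode, key size and KDF from a LUKS1 or LUKS2 header
    (a luksHeaderBackup file, or the first bytes of the device)."""
    if blob[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header: bad magic")
    version = struct.unpack(">H", blob[6:8])[0]
    if version == 1:
        # LUKS1 phdr: fixed-offset NUL-padded strings, big-endian integers
        return {"version": 1, "cipher": _cstr(blob[8:40]), "mode": _cstr(blob[40:72]),
                "hash": _cstr(blob[72:104]), "uuid": _cstr(blob[168:208]),
                "key_bits": struct.unpack(">I", blob[108:112])[0] * 8}
    if version == 2:
        # LUKS2: 4096-byte binary header, then a JSON metadata area up to hdr_size
        hdr_size = struct.unpack(">Q", blob[8:16])[0]
        meta = json.loads(_cstr(blob[4096:hdr_size]))
        cipher, _, mode = meta["segments"]["0"]["encryption"].partition("-")
        slot = meta["keyslots"]["0"]
        return {"version": 2, "cipher": cipher, "mode": mode,
                "checksum_alg": _cstr(blob[72:104]), "uuid": _cstr(blob[168:208]),
                "key_bits": int(slot["key_size"]) * 8, "pbkdf": slot["kdf"]["type"]}
    raise ValueError(f"unsupported LUKS version {version}")

def make_sample_luks2() -> bytes:
    """Constructed sample, not a real dump: a minimal LUKS2 header carrying only
    the fields the parser reads (salt and checksum left as zeros)."""
    meta = {"keyslots": {"0": {"type": "luks2", "key_size": 64, "kdf": {"type": "argon2id"}}},
            "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}}}
    js = json.dumps(meta).encode()
    hdr = bytearray(16384)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">HQQ", hdr, 6, 2, len(hdr), 1)  # version, hdr_size, seqid
    hdr[72:78] = b"sha256"                              # checksum_alg
    hdr[168:204] = b"01234567-89ab-cdef-0123-456789abcdef"
    hdr[4096:4096 + len(js)] = js
    return bytes(hdr)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:    # e.g. /root/sdb1-header-backup
        print(parse_luks_header(f.read()))
```

A reported key size of 512 bits with aes-xts means two 256-bit AES keys, since XTS splits the volume key in half.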
 
I generally see encryption of a drive as pure overkill unless you are involved in top secret stuff.

There is such a long list of reasons to encrypt every device you have.

For example, the world as we know it today is kind of divided into partitions, and there is a new Axis of Evil. Not going to name the countries, but you can easily figure it out yourself based on what's going on in eastern Europe. If you ever go to any one of these countries and stay at a hotel, as an American you are automatically targeted for further investigation. Like, hotel staff work for the secret service type of thing and they will dial them after you check in. Room 303, we have an American guest there. So you go walking around, looking at culturally significant artifacts in the city, and meanwhile the IT department of the agency will take your hardware in the hotel room and clone it, so they can dig into it later. Laptop, phone, camera, anything. It has been SOP since the 1980s and probably way before that.
Add hostile Middle Eastern countries to the list.

If that is not enough, here is an even more likely scenario, which you may think will never bite you, but it can and does for about 50% of American men: You are in the middle of a high-conflict divorce, say a custody fight, and an SOP in a custody fight is a false protective order. They perjure themselves and you get kicked out of the house for a week or two. Meanwhile your STBX has access to all your computer equipment. You can remember to take your laptop, but inevitably you will forget to take your desktop or laptop #2 or such. Because when they serve a PO they give you 5-10 min to get all your stuff and leave.
So the ex has full custody of the kids and all your computer hardware, which she then can pay an IT guy to access, all your disks, and see if any info you have can be useful in the upcoming trial.
When there is a custody trial over kids, you have no idea how low a person can sink. Including planting a keylogger after paying an IT guy to open your non-encrypted machine.
Things get real ugly real fast.
Or when the trial is over some large piece of property, or such, and millions are at stake.

Comms security is even more essential:
General Petraeus didn't think he would be involved either, but went down over unencrypted messages:

 
Making the long story short, if your LUKS header gets damaged, all data is gone. You would be surprised at the people who do not back up their LUKS Header. To prevent this from happening, we need to create a header backup. This can be done by issuing the following command:

This is great stuff. I will implement it ASAP. Thank you. I owe you an adult beverage.
 
There is such a long list of reasons to encrypt every device you have.

No offense meant, but this sounds more like a paranoid version of things. Not saying to not be careful, but none of that is reason to go down the rabbit hole of encryption. You cited the 2% of people that needed it. The other 98% are not doing anything that wild that requires so much over-security.
If people want into your stuff that much, trust me, encrypted drives will not stop them. Gov't will just grab all your systems when you are not expecting it, and then your encryption is useless because they start up and crack a password. Poof, instant access. Or break in and access the computer when you do not expect it. So many things they will do that encryption will not stop.

However, you are warned. If you encrypt and lose it because of a screw-up, which is by far the more likely event, I have the words.... "I Told You So".